Three Common HIPAA Violations for Healthcare Professionals


Categories: HIPAA Compliance & Internet Security
July 29, 2023

The term HIPAA is common in the healthcare industry. However, some people are still unaware of what actions constitute a HIPAA noncompliance violation. As a company that provides experienced revenue cycle management services, we understand that back-office staff are busy submitting claims.

Concerns about potential HIPAA violations may not be a high priority. During the COVID-19 pandemic, some elements of HIPAA regulations were relaxed. However, sound HIPAA-compliant practices still need to be followed by all healthcare offices, including any staff involved in the billing process.

With this in mind, here are three of the more common HIPAA violations that tend to occur in provider agencies and other medical practices.

HIPAA Origins

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was first enacted into law. The purpose of the act is to protect a patient's health records, known as protected health information (PHI). To accomplish this, standards were created to help ensure that medical data is kept private and secure.

These regulations explicitly state that healthcare professionals who violate this law, whether knowingly or unknowingly, face financial penalties. In the years that followed, new trends and regulations have become more complex, sometimes creating concerns among physicians and other healthcare professionals. Medical practices and their support staff should clearly understand what behavior creates a HIPAA violation.

HIPAA Civil & Criminal Penalties

For minor infractions, there are civil penalties for HIPAA violations. For an accidental violation, the penalties range from $100 to $50,000 for each violation. Beyond this, the penalties increase depending on whether the violation was due to reasonable cause or to willful neglect.

At the maximum level, willful neglect that is not corrected, the penalty can be as high as $50,000 for each violation, and the maximum annual fine at this level is $1.5 million. Criminal HIPAA violations carry possible financial penalties as well as prison time.

As with the civil penalties for HIPAA violations, there is a range of criminal penalties. The most severe penalty level for a criminal violation of HIPAA carries fines of $250,000 and a maximum prison sentence of 10 years. Beyond healthcare providers, criminal HIPAA penalties can also apply to insurance plans, Medicare prescription drug card sponsors and medical clearinghouses.

There are many ways to violate the laws that have developed around HIPAA regulations, but the examples below are some of the more common methods.

1: Insecure PHI Data Storage

Health professionals need to make sure that safeguards are in place for the secure storage of PHI data. This includes tools such as administrator-only access controls and encryption. If secure data storage is not in place, a data breach may occur.

Sometimes these data breaches are not even technically sophisticated. Sensitive data that is readable by everyone, or that is stored unencrypted, is easily accessed and potentially stolen.

A way to help ensure that a “hack” or data breach does not happen is to follow general IT security protocols. A few of these protocols include:

  • Restricting staff access to potentially dangerous or high-risk websites. This can include the dark web, some social media, some online forums and adult websites.
  • Making sure some type of firewall is installed. One of the easiest to deploy is a WAF (web application firewall), which filters, monitors and blocks web traffic to a designated website.
  • Implementing access controls for sensitive data. The more sensitive the data, the fewer people should have access to it. The main types of access control are mandatory, discretionary and role-based access control.
  • Using strong passwords with regular password rotation. Pet names and ABC123 are not good passwords. Ideally, passwords should be updated every 60 to 90 days.

2: Employee Abuse of PHI

Healthcare providers are constantly handling sensitive patient data, which makes them one of the most common sources of HIPAA violations. Clinicians and/or other staff members may send PHI data from an unsecured email account or physically take the data out of the medical office.

Other cases may involve accidentally posting images of PHI on social media or leaving information out in the open and unattended. With the expansion of telehealth services, healthcare providers need to be especially careful when using videoconferencing technology.

A lack of technological knowledge can have a substantial impact. Staff members may not realize that their personal computer is not secure, yet they may still download and view PHI data on that device. If the device is unauthorized, or the download was performed over an unsecured computer or Wi-Fi network, there is a high probability that a HIPAA regulation was violated.

3: Unauthorized or Improper PHI Access

Direct care and office staff handle an increasing amount of PHI data. However, only authorized personnel and parties are allowed to access this data; sharing PHI data with an unauthorized third party is a HIPAA violation. Examples include sharing data with unauthorized family members or accidentally giving PHI data to the wrong patient.

PHI data is typically accessed by the patient in question, healthcare providers, pharmacies and billing staff. Any entity outside this group is usually not authorized to access PHI, and granting it access risks improperly sharing PHI data.
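The access-control bullet in section 1 and the list of parties who normally read PHI above can be expressed as a small role-based policy with an audit trail of every access decision, so that repeated denied attempts surface for review. This is an added Python example written for this page, not code from RevUp Billing; the roles, PHI categories, user IDs and review threshold are constructed assumptions.

```python
"""Role-based access to PHI with an audit log of every decision (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed PHI categories and the roles allowed to read each one. The more
# sensitive the category, the fewer roles it is open to.
PHI_POLICY: Dict[str, Set[str]] = {
    "demographics": {"patient", "provider", "pharmacy", "billing"},
    "prescriptions": {"patient", "provider", "pharmacy"},
    "billing_codes": {"patient", "provider", "billing"},
    "clinical_notes": {"patient", "provider"},
}

@dataclass
class AccessEvent:
    user: str
    role: str
    patient_id: str
    category: str
    allowed: bool

@dataclass
class PhiAccessControl:
    audit_log: List[AccessEvent] = field(default_factory=list)

    def check(self, user: str, role: str, patient_id: str, category: str) -> bool:
        """Allow only if the role may read the category; record every attempt."""
        allowed = role in PHI_POLICY.get(category, set())
        # A patient may read only their own record, never another patient's.
        if role == "patient" and user != patient_id:
            allowed = False
        self.audit_log.append(AccessEvent(user, role, patient_id, category, allowed))
        return allowed

    def denied_attempts(self, threshold: int = 2) -> Dict[str, int]:
        """Users with at least `threshold` denials, for privacy-officer review."""
        counts: Dict[str, int] = {}
        for ev in self.audit_log:
            if not ev.allowed:
                counts[ev.user] = counts.get(ev.user, 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}

def demo() -> Dict[str, object]:
    """Constructed scenario: a billing clerk reads codes, then probes clinical notes."""
    ac = PhiAccessControl()
    ok = ac.check("clerk01", "billing", "pt-1001", "billing_codes")
    ac.check("clerk01", "billing", "pt-1001", "clinical_notes")
    ac.check("clerk01", "billing", "pt-1002", "clinical_notes")
    return {"ok_billing": ok, "flagged": ac.denied_attempts()}
```

The audit log records allowed and denied reads alike, which is what lets a practice show who viewed a record and when a breach is investigated.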

Between April 2003 and August 2020, according to the U.S. Department of Health & Human Services, there were a total of 242,743 HIPAA rule complaints. Out of these complaints, there were a total of 40,847 HIPAA investigations during the same period. In some of these violations, employees accidentally released PHI data.

Yet, even when done unknowingly, employees and practices are still legally responsible. HIPAA compliance and violations are a topic not to be taken lightly.

About Our Company

RevUp Billing provides experienced and professional revenue cycle management services for I-DD Waiver provider agencies. Our other services include EVV & workforce scheduling software services (eWebSchedule) for I-DD provider agencies.

For additional questions about HIPAA policies and regulations, as well as other related billing topics – contact us.

RevUp Billing provides trusted and experienced billing services for healthcare practitioners. Like, subscribe and follow RevUp Billing on Facebook, Instagram, LinkedIn & Twitter.

Updated from original article published on September 20, 2020
